[89546] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS,

daemon@ATHENA.MIT.EDU (Alain Hebert)
Fri Mar 24 23:08:36 2006

Date: Fri, 24 Mar 2006 23:08:11 -0500
From: Alain Hebert <ahebert@pubnix.net>
Reply-To: ahebert@pubnix.net
Cc: nanog@merit.edu
In-Reply-To: <4424B223.9050203@linuxbox.org>
Errors-To: owner-nanog@merit.edu


    Hi,

    My only big issue with all of this is that a lot of us are depending 
on sendmail and its developer to keep it bug free...

    But who are we to ask them to be accountable to us?

    What are we paying them for it?

    What make us so special that to command them, or whinne about it 
when its not as perfect as ones mind think things should be?

    We should praise them and accept whatever scrap they send us.

    Because at the end of the day, sendmail, its staff, and other 
contributor saves our butts.

    (time to go put on my fireproof jammies)

Gadi Evron wrote:

>
> Michael.Dillon@btradianz.com wrote:
>
>>> I wonder how many other unreported silently-patched
>>> vulnerabilities are out there?
>>
>>
>>
>> You seem to be inferring that it is a bad thing to silently
>> patch bugs which may have security implications. The OpenBSD
>
>
> Full disclosure, we believe in it.
>
>> team makes a habit of auditing software for flaws and fixing
>> them without waiting to find out whether they create actual
>> security vulnerabilities. They consider this to be a GOOD thing.
>
>
> It is a good thing.
>
>> I think that people who use software also consider it to
>> be good for software flaws to be fixed as quickly as possible.
>> Inevitably, this means that if the DEVELOPERS discover a flaw, they 
>> will fix it before they tell anyone about it. The
>> reason that security researchers publish bulletins about
>> security flaws is because they are unable to fix them either due to 
>> lack of skill, or more commonly, they just don't have permission to 
>> commit changes to the source code.
>>
>> Network operators are users of software and not developers,
>> therefore most network operators are happy when flaws are
>> fixed early and often.
>
>
> I wonder if the same network operators will be happy about potentially 
> millions of compromised sendmail servers globally.
>

-- 
Alain Hebert                                ahebert@pubnix.net   
PubNIX Inc.        
P.O. Box 175       Beaconsfield, Quebec     H9W 5T7	
tel 514-990-5911   http://www.pubnix.net    fax 514-990-9443


home help back first fref pref prev next nref lref last post